Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Passwords, Dr. Evil and a Solution in Tampa

1.2 billion. It’s a number that inspires people to conjure up their best Dr. Evil impression, although it’s no laughing matter.  1.2 billion compromised passwords is a remarkably stunning and shocking number. It’s also one that has inspired a wave of articles asking “what can we do about this?” Telling people to reset all their passwords isn’t a real answer – we just got through telling them to do the same thing in April after the Heartbleed bug was discovered, and most Americans don’t have the stomach or the time to keep doing this every few months. In the short term, there aren’t any silver bullets: nobody likes the security or usability of passwords, but we’ve had them for a long time because the market has struggled to develop compelling alternatives. These struggles were a major driver behind the issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC).  Some good technologies exist, but higher costs and burdens associated with these technologies mean they are not feasible unless we can use them across multiple sites. As identity virtuoso Tim Bray noted in an article in Time this past week: “The problem, and it’s a big one, is that you can’t really carry a different doohickey around for each of your passwords. The solution to that is obvious: just have one that works for lots of different apps. That will require some cooperation and infrastructure. There are smart people working on this idea, but we’re not there yet.” A great thing about my job at NIST is: I get to lead a team of some of the smart people working on this. An even better thing about the job: we’ve been joined by more than 200 companies and organizations in the Identity Ecosystem Steering Group (IDESG) – a private organization established to help support the implementation of NSTIC by tackling the creation of an Identity Ecosystem Framework – essentially the “cooperation and infrastructure” that Bray talks about. IDESG has done awesome work over these last two years, and is making progress each week on version 1.0 of this Identity Ecosystem Framework, with a release target set for early next year. The Framework will provide a set of standards and operating rules that organizations can use to reduce their vulnerability to hackers – enabling their customers to use a set of more secure, privacy-enhancing, easy-to-use, interoperable solutions in lieu of passwords. While we need more work done in the IDESG, we also need more of you. Many hands make light work and many minds make great work.  The more participants we can attract to the effort, the faster we can make progress.  IDESG is set to meet later next month in Tampa, September 17-19, alongside the Global Identity Summit.  Registration is free.  We look forward to you joining us there. While face-to-face working sessions are more productive, if you simply can’t get to Tampa that week, we always offer options for online participation. Check out for more info.

Comments You would be missing out if you guys did not at least read about this awesome technology Steve Gibson is working on in this same exact area. The user experience: Wishing to login to an online service where an “SQRL” code appears nearby: •The user can tap or click directly on the SQRL code to login, or launch their smartphone's SQRL app, and scan the QR code. •For verification, SQRL displays the domain name contained in the SQRL code. •After verifying the domain, the user permits the SQRL app to authenticate their identity. •Leaving the login information blank, the user clicks the “Log in” button... and is logged in. (A bit of page automation could even eliminate the need to click the “Log in” button.) “The website's login presents a QR code containing the URL of its authentication service, plus a nonce. The user's smartphone signs the login URL using a private key derived from its master secret and the URL's domain name. The Smartphone sends the matching public key to identify the user, and the signature to authenticate it.”
I've posted at LinkedIn NSTIC group the following message, entitled: API for Identity-Management-as-a-Service with the link to NSTIC team : please contact me at my email address.
I will be coming to Tampa to meet with anybody at NIST that is interested in learning more about novel authentication solutions such as our augmented interactive biometrics. I understand we can meet with a technical representative there. Can you tell me how I might best plan such an introductory meeting? Thank you!

Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.